• Convergence Security Journal
• /
• v.19 no.1
• /
• pp.11-17
• /
• 2019

Recently, the abuse of Internet technology has caused economic and mental harm to society as a whole. Especially, malicious code that is newly created or modified is used as a basic means of various application hacking and cyber security threats by bypassing the existing information protection system. However, research on small-capacity executable files that occupy a large portion of actual malicious code is rather limited. In this paper, we propose a model that can analyze the characteristics of known small capacity executable files by using data mining techniques and to use them for detecting unknown malicious codes. Data mining analysis techniques were performed in various ways such as Naive Bayesian, SVM, decision tree, random forest, artificial neural network, and the accuracy was compared according to the detection level of virustotal. As a result, more than 80% classification accuracy was verified for 34,646 analysis files.

• Smart Media Journal
• /
• v.8 no.1
• /
• pp.19-26
• /
• 2019

At the opening ceremony of 2018 Winter Olympics in PyeongChang, an unknown cyber-attack occurred. The malicious code used in the attack is based on in-memory malware, which differs from other malicious code in its concealed location and is spreading rapidly to be found in more than 140 banks, telecommunications and government agencies. In-memory malware accounts for more than 15% of all malicious codes, and it does not store its own information in a non-volatile storage device such as a disk but resides in a RAM, a volatile storage device and penetrates into well-known processes (explorer.exe, iexplore.exe, javaw.exe). Such characteristics make it difficult to analyze it. The most recently released in-memory malicious code bypasses the endpoint protection and detection tools and hides from the user recognition. In this paper, we propose a method to efficiently extract the payload by unpacking injection through IDA Pro debugger for Dorkbot and Erger, which are in-memory malicious codes.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.25 no.10
• /
• pp.1391-1396
• /
• 2021

The boundary-based security system has the advantage of high operational efficiency and easy management of security solutions, and is suitable for denying external security threats. However, since it is operated on the premise of a trusted user, it is not suitable to deny security threats that occur from within. A zero trust access control model was proposed to solve this problem of the boundary-based security system. In the zero trust access control model, the security requirements for real-time security event monitoring must be satisfied. In this study, we propose a monitoring method for the most basic file access among real-time monitoring functions. The proposed monitoring method operates at the kernel level and has the advantage of fundamentally preventing monitoring evasion due to the user's file bypass access. However, this study focuses on the monitoring method, so additional research to extend it to the access control function should be continued.

• Journal of the Korea Institute of Information and Communication Engineering
• /
• v.23 no.11
• /
• pp.1451-1461
• /
• 2019

DNS spoofing is an attack in which an attacker intervenes in the communication between client and DNS server to deceive DNS server by responding to a fake IP address rather than actual IP address. It is possible to implement a pharming site that hacks user ID and password by duplicating web server's index page and simple web programming. In this paper we have studied web spoofing attack that combines DNS spoofing and pharming site implementation which leads to farming site. We have studied DNS spoofing attack method, procedure and farming site implementation method for portal server of this university. In the case of Kyungsung Portal, bypassing attack and hacking were possible even though the web server was SSL encrypted and secure authentication. Many web servers do not have security measures, and even web servers secured by SSL can be disabled. So it is necessary that these serious risks are to be informed and countermeasures are to be researched.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1067-1078
• /
• 2020

With the development of internet technology, a lot of content is produced, and the demand for it is increasing. Accordingly, the number of contents in circulation is increasing, while the number of distributing illegal copies that infringe on copyright is also increasing. The Korea Copyright Protection Agency operates a illegal content obstruction program based on substring matching, and it is difficult to accurately search because a large number of noises are inserted to bypass this. Recently, researches using natural language processing and AI deep learning technologies to remove noise and various blockchain technologies for copyright protection are being studied, but there are limitations. In this paper, noise is removed from data collected online, and keyword-based illegal copies are searched. In addition, the same heavy uploader is estimated through profiling analysis for heavy uploaders. In the future, it is expected that copyright damage will be minimized if the illegal copy search technology and blocking and response technology are combined based on the results of profiling analysis for heavy uploaders.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.6
• /
• pp.1247-1254
• /
• 2020

With the advent of the smart home era, equipment that provides confidentiality or performs authentication exists in various places in real life. Accordingly security against physical attacks is required for encryption equipment and authentication equipment. In particular, fault injection attack that artificially inject a fault from the outside to recover a secret key or bypass an authentication process is one of the very threatening attack methods. Fault sources used in fault injection attacks include lasers, electromagnetic, voltage glitches, and clock glitches. Fault injection attacks are classified into single fault injection attacks and multiple fault injection attacks according to the number of faults injected. Existing multiple fault injection systems generally use a single fault source. The system configured to inject a single source of fault multiple times has disadvantages that there is a physical delay time and additional equipment is required. In this paper, we propose a multiple fault injection system using heterogeneous fault sources. In addition, to show the effectiveness of the proposed system, the results of a multiple fault injection attack against Riscure's Piñata board are shown.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.2
• /
• pp.171-179
• /
• 2022

Self-Modifying-Code is a code that changes the code by itself during execution time. This technique is particularly abused by malicious code to bypass static analysis. Therefor, in order to effectively detect such malicious codes, it is important to identify self-modifying-codes. In the meantime, Self-modify-codes have been analyzed using dynamic analysis methods, but this is time-consuming and costly. If static analysis can detect self-modifying-code it will be of great help to malicious code analysis. In this paper, we propose a static analysis method to detect self-modified code for binary executable programs converted to LLVM IR and apply this method by making a self-modifying-code benchmark. As a result of the experiment in this paper, the designed static analysis method was effective for the standardized LLVM IR program that was compiled and converted to the benchmark program. However, there was a limitation in that it was difficult to detect the self-modifying-code for the unstructured LLVM IR program in which the binary was lifted and transformed. To overcome this, we need an effective way to lift the binary code.

• Journal of the Korean Society for Library and Information Science
• /
• v.56 no.4
• /
• pp.473-490
• /
• 2022

This study was conducted to examine Sci-Hub, which provides the original text of academic papers to be provided for a fee by bypassing copyright, and to establish a basic basis for understanding the usage behavior of researchers with access restriction in Korea by analyzing the domestic Sci-Hub usage based on the dataset released by Sci-Hub in 2017. Therefore, after grasping the current status of the world related to Sci-Hub, the categories were set and analyzed by region where the dataset was downloaded, subject matter of academic papers, publisher, OA status, and published year. As a result of the study, the most downloaded areas were Seoul and the metropolitan area, and papers and journals in the field of natural science were downloaded the most, and about 20% of papers were in Open Access state. The papers published between 2010 and 2017 were the most downloaded, and IEEE's papers were the most downloaded, showing that recently published academic papers in the natural sciences were the most downloaded by the time they were downloaded.

• Journal of the Korea Society of Computer and Information
• /
• v.27 no.5
• /
• pp.149-156
• /
• 2022

Recently, there have been many reports of document-type malicious code injecting malicious code into Microsoft Office files. Document-type malicious code is often hidden by encoding the malicious code in the document. Therefore, document-type malware can easily bypass anti-virus programs. We found that malicious code was inserted into the Visual Basic for Applications (VBA) macro, a function supported by Microsoft Office. Malicious codes such as shellcodes that run external programs and URL-related codes that download files from external URLs were identified. We selected 354 keywords repeatedly appearing in malicious Microsoft Office files and defined the number of times each keyword appears in the body of the document as a feature. We performed machine learning with SVM, naïve Bayes, logistic regression, and random forest algorithms. As a result, each algorithm showed accuracies of 0.994, 0.659, 0.995, and 0.998, respectively.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.2
• /
• pp.181-192
• /
• 2022

The emergence of new malware is incapacitating existing signature-based malware detection techniques., and applying various anti-analysis techniques makes it difficult to analyze. Recent studies related to signature-based malware detection have limitations in that malware creators can easily bypass them. Therefore, in this study, we try to build a machine learning model that can detect and classify the anti-analysis techniques of packers applied to malware, not using the characteristics of the malware itself. In this study, the n-gram opcodes are extracted from the malicious binary to which various anti-analysis techniques of the commercial packers are applied, and the features are extracted by using TF-IDF, and through this, each anti-analysis technique is detected and classified. In this study, real-world malware samples packed using The mida and VMProtect with multiple anti-analysis techniques were trained and tested with 6 machine learning models, and it constructed the optimal model showing 81.25% accuracy for The mida and 95.65% accuracy for VMProtect.